Intrusive regulation could destroy the flexibility the private sector needs to protect itself

Much of the cyber threat -- whether this is to critical infrastructure, the economy or the security of individuals -- takes the form of attacks on organizations outside government control.

Systems controlling everything from utilities to healthcare, food distribution, financial services, public events and telecommunications -- in fact in almost any area of the economy -- could be vulnerable and thus pose a threat to some aspect of national security, stability or prosperity.

The challenge for governments is how to ensure that private sector organisations 'up their game' in cyber security, not just to protect themselves, but to ensure the wider economic and physical infrastructure is not affected.

The World Economic Forum refers to 'risk in a hyper-connected world' in which the subject of a cyber attack may not be the entity that bears the eventual impact. Take, for example, the victims of fraud. They may not have actually suffered a breach of their own systems; the cyber attack may have targeted others who hold information about them. Within this context, there is a growing argument for regulation to ensure that commercial entities play their part in protecting both themselves and others.

However, in trying to raise cyber security standards in the private sector, there is a danger that government intervention might have little effect or even make matters worse.

There are a range of behaviours and capabilities that need to be fostered within private sector organizations; pushing too hard to achieve some of these may inhibit others, potentially worsening the situation. Thus any intervention needs to be judged on its impact on all desired capabilities and behaviours, not just individual outcomes in isolation.

Clarifying these issues is all the more important now that the European Commission is about to propose legislation affecting the private sector. The US legislature struggled to agree on similar legislation in 2012, but can be expected to revisit the topic in due course.

The need for balance

As an example, consider the objective of ensuring private sector organizations implement good Information Assurance, that is good practice in building and operating IT systems.

Clearly this is a laudable aim. It could be achieved in isolation by legislation requiring compliance with stringent standards, accompanied by an audit regime and penalties for non-compliance. However, such an approach would be likely to inhibit other objectives required for delivering strong cyber security across the private sector. For example:

* It may cause companies to refrain from sharing threat information or suspicions of sophisticated cyber-attacks, many of which would not be prevented by compliance with accepted Information Assurance standards. By sharing, they might inadvertently reveal instances where their Information Assurance was not perfect.

* It may discourage companies from investing in innovative monitoring which could identify breaches from attacks that would not have been stopped by compliance with Information Assurance standards alone. Such a capability, by identifying breaches, risks undermining an organization's compliance position.

Likewise, suppose there were a legislative or regulatory regime requiring all known cyber breaches to be reported. The simplest way to satisfy such a regime would be for private sector organizations to ensure that more sophisticated breaches remain 'unknown'. Clearly this is the opposite of what is needed for effective cyber security.

What might a balanced set of objectives look like?

In order to design an effective approach to achieve strong cyber defences across the private sector, it is first necessary to define the required set of objectives and behaviours. To stimulate debate, the following are proposed as a set of capabilities and behaviours that together would lead to significantly improved cyber security across the private sector:

1. Strong preventative defences:

The first requirement for cyber security is to ensure that business processes are appropriately configured to be resilient in cyberspace. In addition, two essential elements to making organisations' systems and transactions less vulnerable to cyber breaches are the focus of much regulatory and legislative attention:

* Good basic IT Hygiene (Information Assurance) -- for example, ensuring that systems and networks are securely configured and patched and anti-virus defences are maintained.

* Strong authentication mechanisms -- to ensure that access to systems and key transactions are authenticated to a high level.

These preventative measures alone are not sufficient to protect organizations from cyber attack. The sophistication and dynamic nature of cyber threats means that not all attempts to breach systems or transactions can be prevented, but they can be managed and their impact reduced through the additional capabilities described below.

2. Ability to detect and search out cyber attacks, coupled with rapid and wide-ranging response ability:

Cyber attacks that have circumvented initial preventative measures can be stopped from causing harm through rapid detection and response.

However, this capability needs to extend far beyond just security monitoring of an organization's own systems and needs to include:

* Ability to detect breaches of systems belonging to customers, partners (e.g. in the supply chain) and staff, where such breaches could have an impact on the organisation in question;

* Ability to contain the immediate impact of an attack;

* Ability to search for wider impact than is immediately obvious.

These capabilities require a dynamic and innovative approach -- constantly seeking to stay one step ahead of attackers. For that reason, it is difficult and even counter-productive to attempt to impose standardised approaches.

3. Transparent information and intelligence sharing:

The dynamic nature of cyber threats means that every organization, both within government and the private sector, must co-operate widely -- none can defend themselves in isolation.

It is only through detailed understanding of threats that organizations can design effective defences, and understanding of the threats will only come through co-operation.

Co-operation requires sharing of intelligence and information to facilitate systemic defence. Information shared needs to be highly specific, in near real-time and include not just details of confirmed malicious activities, but also suspicious activity -- since many threats now require 'joining of dots' across organizations in order to be understood.

Sharing of intelligence and information is often most effective when voluntary, since then experts are in a position to share freely, quickly and in confidence, without having to sanitize information unduly.

Good models have been built within some industry sectors, such as defence and banking, to share information between companies -- even competitors -- for the common good, and also to and from law enforcement and government agencies, with confidentiality and trust paramount.

In some circumstances, reporting impact of breaches to a central authority is beneficial, but generally only where there is a defined action to be taken with the information reported -- such as fraud monitoring or card re-issuance for stolen credit card information.

How might this be achieved?

The first priority is for authorities to be clear as to the full set of desired or required capabilities across the private sector.

Any proposed intervention should then be measured against impact on that full set and not just one or two objectives in isolation.

Once a full set of required capabilities is defined, the most sensible focus for any intervention is development of incentives or requirements for boards to ensure those capabilities are developed and monitored in the best manner for their organizations. This is preferable to approaches that focus on individual components of cyber defence and may not produce the complete and dynamic approach to cyber security that is required.